997c7d68c6bd950696c41355332836154355baaa85c69aa10053c09c2d72227e

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ransom.bat
Size

77KB
MD5

2ead52101ac64917c03594a43fd1459a
SHA1

1c58bfdf2eddb21d0db34aa77d2a7dc1f9e03812
SHA256

997c7d68c6bd950696c41355332836154355baaa85c69aa10053c09c2d72227e
SHA512

1a1433b9d777177b006b271d3dea74c200b5f51139ae045ce417984b8501ab9a81a73122169c8f26e6431a6cb8f9581afdfa28dd0d83a6b1bc9596c661b72ffb
SSDEEP

384:PqmB+m9dm9hm9rm99m93ml5mlomlumlSmlcmlsmlkmllmlZmjDmlfmn7mlJmlTm6:3jcIm8KcBn7Vl9oemQes2kfbx

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1652	1448	cmd.exe	29
PID 1448 wrote to memory of 1652	1448	cmd.exe	29
PID 1448 wrote to memory of 1652	1448	cmd.exe	29
PID 1448 wrote to memory of 2412	1448	cmd.exe	30
PID 1448 wrote to memory of 2412	1448	cmd.exe	30
PID 1448 wrote to memory of 2412	1448	cmd.exe	30
PID 1448 wrote to memory of 2260	1448	cmd.exe	31
PID 1448 wrote to memory of 2260	1448	cmd.exe	31
PID 1448 wrote to memory of 2260	1448	cmd.exe	31
PID 1448 wrote to memory of 3012	1448	cmd.exe	32
PID 1448 wrote to memory of 3012	1448	cmd.exe	32
PID 1448 wrote to memory of 3012	1448	cmd.exe	32
PID 1448 wrote to memory of 2392	1448	cmd.exe	33
PID 1448 wrote to memory of 2392	1448	cmd.exe	33
PID 1448 wrote to memory of 2392	1448	cmd.exe	33
PID 1448 wrote to memory of 3008	1448	cmd.exe	34
PID 1448 wrote to memory of 3008	1448	cmd.exe	34
PID 1448 wrote to memory of 3008	1448	cmd.exe	34
PID 1448 wrote to memory of 2600	1448	cmd.exe	35
PID 1448 wrote to memory of 2600	1448	cmd.exe	35
PID 1448 wrote to memory of 2600	1448	cmd.exe	35
PID 1448 wrote to memory of 2872	1448	cmd.exe	36
PID 1448 wrote to memory of 2872	1448	cmd.exe	36
PID 1448 wrote to memory of 2872	1448	cmd.exe	36
PID 1448 wrote to memory of 2640	1448	cmd.exe	37
PID 1448 wrote to memory of 2640	1448	cmd.exe	37
PID 1448 wrote to memory of 2640	1448	cmd.exe	37
PID 1448 wrote to memory of 2716	1448	cmd.exe	38
PID 1448 wrote to memory of 2716	1448	cmd.exe	38
PID 1448 wrote to memory of 2716	1448	cmd.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ransom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.enc"
  2⤵
  PID:1652
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt" "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.enc"
  2⤵
  PID:2412
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1F75.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1F75.txt.enc"
  2⤵
  PID:2260
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1FD7.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1FD7.txt.enc"
  2⤵
  PID:3012
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1F75.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1F75.txt.enc"
  2⤵
  PID:2392
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1FD7.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1FD7.txt.enc"
  2⤵
  PID:3008
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_013010_697.txt" "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_013010_697.txt.enc"
  2⤵
  PID:2600
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_013011_945.txt" "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_013011_945.txt.enc"
  2⤵
  PID:2872
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt" "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt.enc"
  2⤵
  PID:2640
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230901_012943179-MSI_netfx_Full_x64.msi.txt" "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230901_012943179-MSI_netfx_Full_x64.msi.txt.enc"
  2⤵
  PID:2716

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads